~

features/fedramp_extensions.feature

@@ -42,7 +42,6 @@ Examples:
   | component-has-used-by-link |
   | component-type |
   | connection-security |
-  | connection-security |
   | control-implementation-status |
   | data-center-alternate |
   | data-center-count |
@@ -360,6 +359,8 @@ Examples:
   | has-system-name-short-PASS.yaml |
   | has-user-guide-FAIL.yaml |
   | has-user-guide-PASS.yaml |
+  | high-impact-inventory-item-has-asset-owner-FAIL.yaml |
+  | high-impact-inventory-item-has-asset-owner-PASS.yaml |
   | image-has-checksum-FAIL.yaml |
   | image-has-checksum-PASS.yaml |
   | implementation-status-has-remarks-FAIL.yaml |
@@ -394,6 +395,10 @@ Examples:
   | inventory-item-allows-authenticated-scan-PASS.yaml |
   | inventory-item-and-component-has-public-FAIL.yaml |
   | inventory-item-and-component-has-public-PASS.yaml |
+  | inventory-item-has-function-FAIL.yaml |
+  | inventory-item-has-function-PASS.yaml |
+  | inventory-item-has-scan-type-FAIL.yaml |
+  | inventory-item-has-scan-type-PASS.yaml |
   | inventory-item-has-software-name-FAIL.yaml |
   | inventory-item-has-software-name-PASS.yaml |
   | inventory-item-has-software-version-FAIL.yaml |

src/validations/constraints/fedramp-external-constraints.xml

@@ -667,7 +667,7 @@
             </expect>
             <expect id="image-has-checksum" target="//component[@type='software' and ./prop[@name='asset-type' and @value='image']]" test="count(./prop[@name='checksum' and @ns='http://fedramp.gov/ns/oscal']) = 1" level="ERROR">
                 <formal-name>Container Image Has Checksum Property</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="insert-help-url-here"/>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>In a FedRAMP SSP, a component that describes a container or operating system image MUST define a checksum property.</message>
             </expect>
             <expect id="information-type-has-class" target="component/prop[@name='information-type' and @ns='http://fedramp.gov/ns/oscal']" test="exists(@class)" level="ERROR">
@@ -732,18 +732,6 @@
 
         </constraints>
     </context>
-
-    <context>
-        <metapath target="/system-security-plan/system-implementation"/>
-        <constraints>
-            <expect id="inventory-item-or-component-has-asset-id" target="(inventory-item)| (component[@type='software' and prop[@name='asset-type' and @value='image']])" test="count(prop[@name='asset-id']) = 1" level="ERROR">
-                <formal-name>Inventory Item or Component Has Asset ID</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-                <message>In a FedRAMP SSP, each inventory item and software image component MUST include the asset ID.</message>
-            </expect>
-        </constraints>
-    </context>
-
     <context>
         <metapath target="/system-security-plan/system-implementation/inventory-item"/>
         <constraints>
@@ -754,6 +742,7 @@
                 <formal-name>Inventory Item Has Software Name</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, each inventory item MUST include the software name in the inventory item itself or within the linked component.</message>
+            </expect>
             <expect id="inventory-item-has-software-version" target=".[prop[@name='asset-type' and @value=('operating-system', 'container', 'image')] or ../component[uuid=$component-uuid and type='software']]" test="count(prop[@name=('software-version', 'os-version')]) = 1 or count(../component[@uuid=$component-uuid]/prop[@name=('software-version', 'os-version')]) = 1" level="ERROR">
                 <formal-name>Inventory Item Has Software Version</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
@@ -769,11 +758,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, each inventory item MUST include the vendor name in the inventory item itself or within the linked component.</message>
             </expect>
-<expect id="scan-type-has-remarks" target="..//prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other','not-applicable')]" test="exists(remarks)" level="ERROR">
-    <formal-name>Scan Type Has Remarks</formal-name>
-    <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-    <message>When scan-type is 'other' or 'not-applicable', remarks MUST be provided to explain the selection.</message>
-</expect>
+            <expect id="scan-type-has-remarks" target="..//prop[@name='scan-type' and @ns='http://fedramp.gov/ns/oscal' and @value=('other','not-applicable')]" test="exists(remarks)" level="ERROR">
+                <formal-name>Scan Type Has Remarks</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>When scan-type is 'other' or 'not-applicable', remarks MUST be provided to explain the selection.</message>
+            </expect>
         </constraints>
     </context>
     <context>